https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7304
Bug ID: 7304
Summary: spamc: string comparison in option parsing can read out of bounds
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: spamc/spamd
Assignee: [email protected]
Reporter: [email protected]
Created attachment 5380
--> https://bz.apache.org/SpamAssassin/attachment.cgi?id=5380&action=edit
patch to replace memcmp with strncmp
The function spamc_getopt_long() can read out of bounds in certain situations.
This can be tested by compiling spamc with address sanitizer
(-fsanitize=address in CFLAGS/LDFLAGS) and running e.g.
/spamc --xxxxx
(every long opt with 5 chars or more will trigger it)
The source of the error is this code:
if((memcmp(longopt+2, longopts[i].name, longoptlen)) == 0) {
The problem here is that memcmp always reads all bytes in both variables and
thus if longoptlen is more than the length of longopts[i].name it will read
invalid memory.
The fix is simple: use strncmp instead of memcmp. See attached patch, please
apply.
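Added example, not part of the original report and not spamc's own code: a small option matcher showing how far the memcmp form may read past a short table entry and the strncmp form the report proposes. The option table, the function names and the assumption that longoptlen is the length of the text after "--" are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed option table for illustration; not spamc's actual list. */
static const char *const opt_names[] = { "ssl", "help", "socket" };
#define N_OPTS (sizeof opt_names / sizeof opt_names[0])

/* Bytes beyond name's storage (text plus NUL) that
 * memcmp(arg + 2, name, strlen(arg + 2)) is permitted to touch.
 * Computed arithmetically so the example never performs the bad read. */
static size_t memcmp_overread(const char *arg, const char *name)
{
    size_t want = strlen(arg + 2);   /* assumed meaning of longoptlen */
    size_t have = strlen(name) + 1;  /* bytes the string literal occupies */
    return want > have ? want - have : 0;
}

/* Bounded lookup: strncmp stops at the first NUL in either string, so a
 * short table entry is never read past its terminator. Comparing over the
 * argument's length keeps the prefix-matching behaviour of the original line. */
static int find_opt(const char *arg)
{
    size_t len;

    if (strncmp(arg, "--", 2) != 0)
        return -1;
    len = strlen(arg + 2);
    if (len == 0)
        return -1;
    for (size_t i = 0; i < N_OPTS; i++)
        if (strncmp(arg + 2, opt_names[i], len) == 0)
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed inputs, including the --xxxxx case from the report. */
    const char *args[] = { "--xxxxx", "--help", "--sock", "--helpme" };

    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("%-9s index=%2d  memcmp over-read vs \"ssl\": %zu byte(s)\n",
               args[i], find_opt(args[i]), memcmp_overread(args[i], "ssl"));
    return 0;
}
```

Building this with -fsanitize=address, as the report does for spamc, should produce no finding from find_opt() for any of the inputs.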